In 2010, Grigoriev and Shpilrain introduced some graph-based authentication schemes. We present a cryptanalysis of some of these protocols, and introduce some new schemes to fix the problems.
1. Introduction

We refer the reader to [12,19] for details of the general theory of public-key authentication and the terminology of Feige-Fiat-Shamir-like authentication schemes. The concept of a Feige-Fiat-Shamir authentication scheme was introduced in 1987 [5]. It is a zero-knowledge proof, which is a procedure for a prover (Alice) to convince a verifier (Bob) that a fact is true without revealing anything other than the veracity of the fact to be proven.

In [3,4], graph theory was used for the first time to construct such authentication schemes, in contrast to the existing ones which were based on number-theoretic problems. However, in [3,4] it is not clear how the scheme works and why it is secure.

In [6], Grigoriev and Shpilrain proposed several general Feige-Fiat-Shamir-like authentication schemes. They employed some NP-hard problems in graph theory such as the graph homomorphism problem (GHP), the subgraph isomorphism problem (SGIP) and the graph coloring problem (GCP) to construct some platforms.

After the knapsack cryptosystem was broken, combinatorics-based cryptography fell into disfavor (see [10] for an interesting discussion); the above proposals are interesting in the sense that they try to reintroduce combinatorics into cryptography. In this paper we cryptanalyse some of the proposals of Grigoriev and Shpilrain, pointing out some security problems, and we propose some new schemes fixing these problems.

The paper is organized as follows. In 2.1 we recall the authentication protocol based on the graph homomorphism problem. In 2.2 we present a cryptanalysis of this scheme. Using this attack the adversary will be able to impersonate the prover and fool the verifier. Then in 2.3, we propose a new protocol in the same spirit, based on the subgraph isomorphism problem, which resists the attack of 2.2. In 3.1 we recall another protocol of [6], based on the graph coloring problem. In 3.2 we point out a security weakness in this platform resulting from an indirect use of the graph isomorphism problem. Moreover, in 3.3 we propose a new protocol in the same spirit which fixes this weakness.

2. Cryptanalysis against graph homomorphism based protocol 

In this section, we review the graph homomorphism based protocol proposed by Grigoriev and Shpilrain and present a cryptanalysis against the platform. Also, we propose a new protocol to fix the problem.

2.1 GH-based protocol 

Given two graphs $G$ and $H$, a homomorphism from $G$ to $H$ is a mapping $\varphi : G \to H$ that satisfies the following: $uv \in E(G) \Rightarrow \varphi(u)\varphi(v) \in E(H)$. The Graph Homomorphism Problem (GHP) asks whether or not there is a homomorphism from $G$ onto $H$. In 1990, Hell and Nešetřil [7] showed that the GHP is NP-complete unless $H$ has a loop or is bipartite.

We recall the graph homomorphism-based authentication protocol proposed in [6]. Alice's public key consists of two graphs, $\Gamma_1$ and $\Gamma_2$, and her private key is a surjective homomorphism $\alpha : \Gamma_1 \to \Gamma_2$. To begin authentication:

1. In the commitment step, Alice picks a graph $\Gamma$ together with a surjective homomorphism $\beta : \Gamma \to \Gamma_1$, and sends $\Gamma$ to Bob, while keeping $\beta$ secret.

2. Bob sends Alice a random bit $b \in \{0, 1\}$, the challenge.

3. If $b = 0$, Alice sends Bob the homomorphism $\beta$, and if $b = 1$, then she sends the composition $\alpha \circ \beta$.

4. If $b = 0$, Bob verifies whether $\beta(\Gamma) = \Gamma_1$ and whether $\beta$ is a homomorphism; and if $b = 1$, then he verifies whether $\alpha\beta(\Gamma) = \Gamma_2$ and whether $\alpha \circ \beta$ is a homomorphism or not.

The security of this protocol is based on the difficulty of finding a homomorphism $\alpha$ from $\Gamma_1$ onto $\Gamma_2$.

As mentioned by the authors, an eavesdropper doesn't need to discover the secret keys of Alice to attack this protocol. In fact, if he can find a graph, say $\Gamma'$, that maps homomorphically onto $\Gamma_1$ and onto $\Gamma_2$, say $\alpha' : \Gamma' \to \Gamma_1$ and $\beta' : \Gamma' \to \Gamma_2$, then he can interfere in the commitment step and respond to either challenge of Bob.

In the next subsection, we use this idea to attack the above protocol. 

2.2 Cryptanalysis of the GH-based protocol 

In this subsection, we present a forgery attack against the GH-based protocol by using the fact that the tensor product is the category-theoretic product in the category of graphs and graph homomorphisms. The tensor product $\Gamma_1 \otimes \Gamma_2$ of graphs $\Gamma_1$ and $\Gamma_2$ is a graph with vertex set $V(\Gamma_1) \times V(\Gamma_2)$ where two vertices $(u_1, v_1)$ and $(u_2, v_2)$ are adjacent when $u_1 u_2 \in E(\Gamma_1)$ and $v_1 v_2 \in E(\Gamma_2)$ [8, p. 163].

Now, let $\Gamma' = \Gamma_1 \otimes \Gamma_2$, and define $\alpha' : \Gamma' \to \Gamma_1$ and $\beta' : \Gamma' \to \Gamma_2$ by $\alpha'(u, v) = u$ and $\beta'(u, v) = v$, for each vertex $(u, v) \in V(\Gamma_1 \otimes \Gamma_2)$.

One can easily check that $\alpha'$ and $\beta'$ are homomorphisms.

From this we conclude that an eavesdropper (Charlie) can successfully interfere at the commitment step and respond to either challenge of Bob as follows:

1. Charlie computes $\Gamma' = \Gamma_1 \otimes \Gamma_2$, $\alpha'(u, v) = u$ and $\beta'(u, v) = v$ for each vertex $(u, v) \in \Gamma'$, and sends $\Gamma'$ to Bob.

2. Bob sends Charlie a random bit $b \in \{0, 1\}$.

3. If $b = 0$, then Charlie sends Bob the homomorphism $\alpha'$, and if $b = 1$, then he sends $\beta'$.

4. If $b = 0$, then Bob verifies whether $\alpha'(\Gamma') = \Gamma_1$ and whether $\alpha'$ is a homomorphism; and if $b = 1$, then he verifies whether $\beta'(\Gamma') = \Gamma_2$ and whether $\beta'$ is a homomorphism.
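The following added example (not code from the paper) runs Bob's two checks of the GH-based protocol against a commitment built as the tensor product with its two projections, on constructed toy public graphs (a triangle and a single edge); it shows that the checks only bind a homomorphism onto each public graph, never the secret $\alpha$, which is exactly why the projections pass.

```python
# Added example, not the paper's own code: Bob's checks of the GH-based protocol
# applied to the tensor-product commitment Γ1 ⊗ Γ2 with projections α', β'.
# Graphs are dicts {vertex: set of neighbours}; Γ1 and Γ2 are constructed toys.
from itertools import product

def edges(G):
    return {frozenset((u, v)) for u in G for v in G[u]}

def is_homomorphism(G, H, f):
    """Every edge uv of G must be carried to an edge f(u)f(v) of H."""
    return set(f) == set(G) and all(f[v] in H[f[u]] for u in G for v in G[u])

def maps_onto(G, H, f):
    """f(G) = H: every vertex and every edge of H is hit (surjectivity check)."""
    return ({f[u] for u in G} == set(H)
            and {frozenset(f[x] for x in e) for e in edges(G)} == edges(H))

def tensor_product(G1, G2):
    """V = V(G1) x V(G2); (u1,v1) ~ (u2,v2) iff u1u2 in E(G1) and v1v2 in E(G2)."""
    V = list(product(G1, G2))
    return {(u, v): {(u2, v2) for (u2, v2) in V if u2 in G1[u] and v2 in G2[v]}
            for (u, v) in V}

def bob_accepts(commitment, public_graph, f):
    """Bob's check for either challenge: f is a homomorphism of the commitment onto the public graph."""
    return is_homomorphism(commitment, public_graph, f) and maps_onto(commitment, public_graph, f)

# Constructed public key: Γ1 = triangle K3, Γ2 = single edge K2 (secret α: K3 -> K2 is never used below).
Gamma1 = {0: {1, 2}, 1: {0, 2}, 2: {0, 1}}
Gamma2 = {"a": {"b"}, "b": {"a"}}

def tensor_commitment():
    """Γ' = Γ1 ⊗ Γ2 with α'(u,v) = u and β'(u,v) = v, computed from public data only."""
    Gp = tensor_product(Gamma1, Gamma2)
    alpha_p = {uv: uv[0] for uv in Gp}
    beta_p = {uv: uv[1] for uv in Gp}
    return Gp, alpha_p, beta_p

def both_challenges_accepted():
    """True: both projections satisfy Bob's checks, so the checks do not depend on α."""
    Gp, alpha_p, beta_p = tensor_commitment()
    return bob_accepts(Gp, Gamma1, alpha_p) and bob_accepts(Gp, Gamma2, beta_p)
```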

According to the above procedure, the verifier will be convinced by Charlie that he knows the secret keys; hence an eavesdropper will be able to fool the verifier. We conclude that the GH-based protocol is completely impractical.

Next, we propose a new protocol to fix this problem. 

2.3 New proposed protocol based on subgraph isomorphism problem 

In this subsection, we present a new protocol based on the subgraph isomorphism problem to fix the above problem. Two graphs $G_1$ and $G_2$ are isomorphic if there is a one-to-one and onto mapping $\varphi : G_1 \to G_2$ that preserves adjacency (and non-adjacency), that is, $uv \in E(G_1)$ if and only if $\varphi(u)\varphi(v) \in E(G_2)$, for any two vertices $u, v \in V(G_1)$.

Given two graphs $G$ and $H$, the subgraph isomorphism problem (SGIP) asks whether or not $H$ is isomorphic to a subgraph of $G$. In 1971, Stephen Cook [16] showed that SGIP is NP-complete. Below we give a description of our proposed protocol based on SGIP.

Alice's public key consists of two graphs $\Omega$ and $\Gamma_2$, and her private key is a subgraph $\Gamma_1$ of $\Omega$ together with an isomorphism $\alpha : \Gamma_1 \to \Gamma_2$.

1. In the commitment step, Alice chooses a graph $\Delta$ which is isomorphic to a subgraph $\Delta'$ of $\Omega$ with $\Gamma_1 \subseteq \Delta'$. She also chooses an embedding $\beta : \Delta \to \Omega$ ($\beta(\Delta) = \Delta'$), and sends the graph $\Delta$ to Bob, while keeping $\Delta'$ and $\beta$ secret. Note that there exists a subgraph $\Gamma \subseteq \Delta$ with $\beta(\Gamma) = \Gamma_1$.

2. Bob sends Alice a random bit $b \in \{0, 1\}$, the challenge.

3. If $b = 0$, then Alice sends Bob the embedding $\beta$, and if $b = 1$, then she sends the subgraph $\Gamma \subseteq \Delta$ and the composition $\alpha \circ \beta|_{\Gamma}$.

4. If $b = 0$, then Bob verifies whether $\beta$ is an embedding of $\Delta$ into $\Omega$, and if $b = 1$, then he verifies whether $\Gamma \subseteq \Delta$, $\alpha \circ \beta|_{\Gamma}(\Gamma) = \Gamma_2$ and that $\alpha \circ \beta|_{\Gamma}$ is an isomorphism of $\Gamma$ into $\Gamma_2$.
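As an added illustration (not code from the paper), the following runs Bob's two checks of the SGIP-based protocol above for an honest Alice on constructed toy graphs: $\Omega$ is a 5-cycle with a chord, $\Gamma_2$ a triangle, and Alice's secret $\Gamma_1$ is the triangle inside $\Omega$; the relabeling that produces $\Delta$ is fixed here, whereas a real prover draws a fresh random one per run.

```python
# Added example, not the paper's own code: Bob's checks for the SGIP-based protocol of 2.3.
# Graphs are dicts {vertex: set of neighbours}; all instances below are constructed toys.

def graph(vertices, edge_list):
    G = {v: set() for v in vertices}
    for u, v in edge_list:
        G[u].add(v); G[v].add(u)
    return G

def edges(G):
    return {frozenset((u, v)) for u in G for v in G[u]}

def is_subgraph(S, G):
    return set(S) <= set(G) and edges(S) <= edges(G)

def is_embedding(S, G, f):
    """f maps S isomorphically onto a subgraph of G: injective on V(S), edges to edges."""
    if set(f) != set(S) or len(set(f.values())) != len(S):
        return False
    return all(f[v] in G[f[u]] for u in S for v in S[u])

def is_isomorphism_onto(S, H, f):
    """f is a bijection V(S) -> V(H) that carries E(S) exactly onto E(H)."""
    if set(f) != set(S) or set(f.values()) != set(H) or len(S) != len(H):
        return False
    return {frozenset(f[x] for x in e) for e in edges(S)} == edges(H)

def bob_verifies(b, Omega, Gamma2, Delta, response):
    """Challenge b = 0: response is β. Challenge b = 1: response is (Γ, α∘β|Γ)."""
    if b == 0:
        return is_embedding(Delta, Omega, response)
    Gamma, composed = response
    return is_subgraph(Gamma, Delta) and is_isomorphism_onto(Gamma, Gamma2, composed)

# Constructed public key: Ω = 5-cycle plus chord 0-2, Γ2 = triangle on x, y, z.
Omega = graph(range(5), [(0, 1), (1, 2), (2, 3), (3, 4), (4, 0), (0, 2)])
Gamma2 = graph("xyz", [("x", "y"), ("y", "z"), ("x", "z")])
# Constructed private key: Γ1 = triangle {0,1,2} ⊆ Ω and α: Γ1 -> Γ2.
alpha = {0: "x", 1: "y", 2: "z"}

def honest_commitment():
    """Δ' = Ω restricted to {0,1,2,3} (contains Γ1); Δ is its relabeling, β the inverse relabeling."""
    beta = {"p": 0, "q": 1, "r": 2, "s": 3}                       # fixed here; random in practice
    Delta = graph("pqrs", [("p", "q"), ("q", "r"), ("p", "r"), ("r", "s")])
    Gamma = graph("pqr", [("p", "q"), ("q", "r"), ("p", "r")])   # β(Γ) = Γ1
    composed = {v: alpha[beta[v]] for v in Gamma}                 # α∘β restricted to Γ
    return Delta, beta, Gamma, composed

def honest_run_passes():
    Delta, beta, Gamma, composed = honest_commitment()
    return (bob_verifies(0, Omega, Gamma2, Delta, beta)
            and bob_verifies(1, Omega, Gamma2, Delta, (Gamma, composed)))
```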

Proposition 1. Suppose that after several runs of the steps of the above protocol, both values of $b$ are encountered. Then, successful forgery in the protocol is equivalent to finding a subgraph $\Gamma'_1$ of $\Omega$ together with an isomorphism $\pi : \Gamma'_1 \to \Gamma_2$.

Proof. Suppose Charlie wants to impersonate Alice. To that effect, he interferes in the commitment step by sending his own commitment $\Delta'$ to Bob. Since he should be prepared to respond to the challenge $b = 0$, he should know an embedding $\beta' : \Delta' \to \Omega$. On the other hand, since he should be prepared for the challenge $b = 1$, he should know an isomorphism $\pi : \Gamma' \to \Gamma_2$ with $\Gamma' \subseteq \Delta'$. Now, since $\Gamma'$ is isomorphic to a subgraph of $\Omega$, this implies that he can produce a subgraph $\Gamma'_1$ of $\Omega$ which is isomorphic to $\Gamma_2$. This completes the proof. □

3. A Weakness in authentication scheme based on graph coloring 

In this section, we review the graph coloring based protocol proposed in [6] and point out a weakness in the scheme. We also propose a new scheme to fix the problem.



3.1 GC-based protocol

Given a connected graph $G$ and a positive integer $k < p(G)$, where $p(G)$ is the order of the graph $G$, a $k$-coloring of $G$ assigns a color from $\{1, 2, \ldots, k\}$ to each vertex of $G$ so that adjacent vertices receive distinct colors. In 1972, Karp [15] showed that the graph coloring problem is NP-complete.

Grigoriev and Shpilrain proposed a generic protocol whose difficulty is based on "most any" search problem. Then they gave a platform based on the graph coloring problem to illustrate the idea of the protocol. The GC-based scheme is described as follows:

Alice's public key consists of a $k$-colorable graph $\Gamma$, and her private key is a $k$-coloring of $\Gamma$, for some (public) $k$. To begin authentication,

1. In the commitment step, Alice picks a graph $\Gamma_1$ together with an isomorphism $\varphi : \Gamma \to \Gamma_1$, and sends the graph $\Gamma_1$ to Bob, while keeping the isomorphism $\varphi$ secret.

2. Bob sends Alice a random bit $b \in \{0, 1\}$, the challenge.

3. If $b = 0$, then Alice sends Bob the isomorphism $\varphi$, and if $b = 1$, then she sends a $k$-coloring of $\Gamma_1$.

4. If $b = 0$, then Bob verifies whether $\varphi$ is an isomorphism from $\Gamma$ into $\Gamma_1$; and if $b = 1$, then he verifies that this is indeed a $k$-coloring of $\Gamma_1$.

The authors showed that successful forgery in the above protocol is equivalent to finding a $k$-coloring of the graph $\Gamma$. In fact this is not true, and we give a weakness in the above protocol in the next subsection.

3.2 A Weakness in GC-based scheme 

In this subsection, we point out a weakness in the GC-based scheme, resulting from the graph isomorphisms used in the construction of the protocol. Using this weakness, Bob will be able to find out Alice's secret key.

Given two graphs $G_1$ and $G_2$, the Graph Isomorphism Problem (GIP) asks whether or not there is an isomorphism $\varphi : G_1 \to G_2$.

Besides its importance in practice, the GIP is prominent in computational complexity theory as it is one of a very small number of problems belonging to NP that are neither known to be solvable in polynomial time nor known to be NP-complete. Two other problems which were thought to have the same status have since been solved in polynomial time: the linear programming problem, which was shown to be in P in 1979 by Khachian [9], and the problem of determining the primality of an integer, which was shown to be in P in 2002 by Agrawal, Kayal, and Saxena [1].

In [2], Babai, Erdős and Selkow showed that for almost all graphs $X$, any graph $Y$ can be easily tested for isomorphism to $X$ by an extremely naive linear time algorithm.

Well-known efficient algorithms for finding isomorphisms between random graphs are the Nauty algorithm by Brendan McKay [11] and Nauty's improvements such as Saucy [14] and Bliss [18]. The Nauty algorithm is one of the most efficient and powerful algorithms that solve GIP in polynomial time for random graphs with thousands or more vertices.

On the other hand, some researchers tried to find hard graphs for Nauty-like algorithms. In 1997, Miyazaki [13] constructed a family of colored graphs which are hard for the Nauty algorithm and require exponential time. In 2009, Greg D. Tener [17] introduced the "nishe" algorithm that solves Miyazaki graphs in polynomial time.

Therefore, for many large random graphs we surely can find isomorphisms (if they are isomorphic) by using one of the above algorithms. So if we wish to use GIP in cryptography, we must work with a small family of graphs, and even with this we cannot be sure that someone using a combination of the existing algorithms is not able to attack it successfully.

Moreover, the most important point for cryptographic security is computational intractability of a problem on a generic set of inputs, i.e. the problem should be hard on "most" randomly selected inputs. And this is not the case for GIP.

Hence, we conclude that GIP is not suitable for the design of authentication protocols even if it is used in an indirect way.

Now, returning to the GC-based scheme, we see that Bob can fool Alice as follows:

- Alice sends Bob a graph $\Gamma_1$ isomorphic to $\Gamma$.
- Bob sends Alice the challenge $b = 1$.
- Alice sends Bob a $k$-coloring of the graph $\Gamma_1$.
- Using an efficient algorithm, Bob will compute an isomorphism $\psi : \Gamma_1 \to \Gamma$, and then he can easily deduce from $\psi$ a $k$-coloring of the graph $\Gamma$, which is the secret key of Alice.

A new protocol based on GCP and SGIP will be given in the next subsection. This protocol fixes 
the above problem. 

3.3 New proposed protocol based on graph coloring problem and subgraph isomorphism problem

As we mentioned in the previous subsection, using the graph isomorphism problem is not suitable in the design of authentication schemes. Instead, we will use the subgraph isomorphism problem, and we will also use an intermediate graph to hide the secret keys, as follows.

Alice chooses a graph $\Gamma$ which contains a $k$-colorable subgraph $\Gamma_1$ of order $n$. $\Gamma$, $n$ and $k$ are public, while the graph $\Gamma_1$ together with a $k$-coloring of $\Gamma_1$ are secret. To begin the authentication:

1. In the commitment step, Alice picks an intermediate graph $\Delta'$ which is a subgraph of $\Gamma$ and contains the graph $\Gamma_1$, together with an isomorphism $\alpha : \Delta \to \Delta'$, and sends $\Delta$ to Bob.

2. Bob sends Alice a random bit $b \in \{0, 1\}$.

3. If $b = 0$, then Alice sends Bob an embedding $\beta : \Delta \to \Gamma$, and if $b = 1$, then she sends a subgraph $\Gamma_2 \subseteq \Delta$ of order $n$, together with a $k$-coloring of $\Gamma_2$.

4. If $b = 0$, then Bob verifies whether $\beta$ is an embedding of $\Delta$ into $\Gamma$, and if $b = 1$, then he verifies whether $\Gamma_2$ is a subgraph of $\Delta$ and that the $k$-coloring is indeed a coloring of $\Gamma_2$.
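The added example below (not code from the paper) implements Bob's checks for the protocol of 3.3 on constructed toy data, and also contains the one-line coloring transfer along an isomorphism that underlies the weakness of 3.2, to make clear what the new protocol stops revealing: in 3.3 the $b = 1$ response carries no isomorphism back to $\Gamma$, only a subgraph of the commitment with its coloring. The public graph, $n$, $k$, the secret subgraph and the relabeling are all assumptions of the example.

```python
# Added example, not the paper's own code: Bob's checks in the GCP+SGIP protocol of 3.3,
# plus the coloring transfer along an isomorphism that makes the 3.2 weakness work.
# Graphs are dicts {vertex: set of neighbours}; every instance below is a constructed toy.

def graph(vertices, edge_list):
    G = {v: set() for v in vertices}
    for u, v in edge_list:
        G[u].add(v); G[v].add(u)
    return G

def edges(G):
    return {frozenset((u, v)) for u in G for v in G[u]}

def is_subgraph(S, G):
    return set(S) <= set(G) and edges(S) <= edges(G)

def is_embedding(S, G, f):
    """f is injective on V(S) and carries every edge of S to an edge of G."""
    if set(f) != set(S) or len(set(f.values())) != len(S):
        return False
    return all(f[v] in G[f[u]] for u in S for v in S[u])

def is_k_coloring(G, c, k):
    """c gives every vertex a colour in {1..k} and adjacent vertices differ."""
    return (set(c) == set(G) and all(1 <= c[v] <= k for v in G)
            and all(c[u] != c[v] for u in G for v in G[u]))

def transfer_coloring(c, psi):
    """3.2 weakness: a k-coloring c of Γ1 and an isomorphism ψ: Γ1 -> Γ give the coloring c∘ψ⁻¹ of Γ."""
    return {psi[v]: c[v] for v in c}

def bob_verifies(b, Gamma, n, k, Delta, response):
    """b = 0: response is β: Δ -> Γ.  b = 1: response is (Γ2, k-coloring of Γ2)."""
    if b == 0:
        return is_embedding(Delta, Gamma, response)
    Gamma2, c = response
    return len(Gamma2) == n and is_subgraph(Gamma2, Delta) and is_k_coloring(Gamma2, c, k)

# Constructed public key: Γ = K4 on {0,1,2,3} plus vertex 4 hanging off 3; n = 3, k = 3.
# Constructed private key: Γ1 = triangle {0,1,2} with a 3-coloring (K4 itself needs 4 colours).
Gamma = graph(range(5), [(0, 1), (0, 2), (0, 3), (1, 2), (1, 3), (2, 3), (3, 4)])
n, k = 3, 3
secret_coloring = {0: 1, 1: 2, 2: 3}

def honest_run_passes():
    """Δ' = Γ restricted to {0,1,2,3} ⊇ Γ1; Δ is its relabeling (fixed here, random in practice)."""
    beta = {"p": 0, "q": 1, "r": 2, "s": 3}
    Delta = graph("pqrs", [("p", "q"), ("p", "r"), ("p", "s"), ("q", "r"), ("q", "s"), ("r", "s")])
    Gamma2 = graph("pqr", [("p", "q"), ("q", "r"), ("p", "r")])       # β(Γ2) = Γ1
    c2 = {v: secret_coloring[beta[v]] for v in Gamma2}                 # coloring carried to Γ2
    return (bob_verifies(0, Gamma, n, k, Delta, beta)
            and bob_verifies(1, Gamma, n, k, Delta, (Gamma2, c2)))
```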

The following result may be proved in much the same way as Proposition 1. 

Proposition 2. Suppose that after several runs of the steps of the above protocol, both values of $b$ are encountered. Then, successful forgery in the protocol is equivalent to finding a subgraph $\Gamma_1$ of $\Gamma$ of order $n$ together with a $k$-coloring of $\Gamma_1$.

4. Conclusion

We cryptanalyzed two graph-based authentication protocols. For one of them, we showed that it is completely impractical, and proposed a new scheme instead. For the second protocol, we pointed out a weakness and proposed a new one, solving the problem. A detailed complexity study of the above protocols, specifying the kind of graphs to be used, the number of nodes, etc., has still to be done. We hope to do that in the future.